System and method for key distribution using quantum cryptography

ABSTRACT

A method of communication based on quantum cryptography is modified to include an initial step of outputting from, e.g., a transmitter, a single-photon signal, which may be unmodulated. A receiver then randomly selects one of a plurality of encryption alphabets corresponding to different, non-commuting quantum mechanical operators. The receiver modulates the single-photon signal with the selected operator and returns the signal to the transmitter. The transmitter in turn randomly selects a quantum mechanical operator and uses that operator in detecting the returned signal modulated by the receiver. Alternatively, the transmitter may randomly select one of a plurality of encryption alphabets and use that encryption alphabet in modulating the signal. The signal is then further modulated at the receiver using a predetermined encryption alphabet. When the signal is received back at the transmitter, it is detected using the same quantum mechanical operator as was initially used to modulate it. Comparison is made of the states of the single-photon signals as transmitted and received to detect the presence of any eavesdropper.

BACKGROUND TO THE INVENTION

1. Field of the Invention

The present invention relates to a system for the communication ofencrypted data using quantum cryptography.

2. Related Art

In quantum cryptography, data is encoded at the transmitter and decodedat the receiver using some specified algorithm which is assumed to befreely available to all users of the system. The security of the systemdepends upon the key to the algorithm being available only to authorisedusers. To this end, the key is distributed over a secure quantumchannel, that is a channel carried by single-photon signals andexhibiting non-classical behaviour, as further discussed below. On thequantum channel, the presence of any eavesdropper can be detected as achange in the statistics of the received data.

Hitherto, methods of communicating using quantum cryptography havecomprised the steps of:

(a) randomly selecting one of a plurality of coding alphabetscorresponding to different, non-commuting quantum mechanical operatorsand encoding a signal for transmission on the quantum channel using theselected operator;

(b) randomly selecting one of the different quantum mechanical operatorsand using that operator in detecting the signal transmitted in step (a);

(c) repeating steps (a) and (b) for each of a multiplicity of subsequentsignals;

(d) communicating between the transmitter and the receiver independentlyof the encryption alphabets to determine for which of the transmittedsignals common operators were selected for transmitting and detecting,

(e) comparing the signals transmitted and detected in steps (a) and (b)to detect any discrepancy resulting from the presence of aneavesdropper; and,

(f) in the event that in step (e) no eavesdropper is detected, using atleast some of the data transmitted in steps (a) and (b) as a key forencryption/decryption of subsequent data transmissions between the twousers of the channel. This scheme is described in detail in C. H.Bennett, G. Brassard, S. Breidbart and S. Wiesner, in "Advances incryptology: Proceedings of Crypto'82, (Plenum, N.Y., 1983); C. H.Bennett and G. Brassard, IBM Technical Disclosure Bulletin, 28 3153,(1985). Conventionally, the method has been carried out between a singletransmitter and receiver only. Our co-pending international applicationentitled "Quantum Cryptography on a Multiple Access Network" and filedthis day, (PCT/GB94/01952), the subject matter of which is incorporatedherein by reference, describes the extension of such techniques tomultiple-access systems including a plurality of receivers.

SUMMARY OF THE INVENTION

According to a first aspect of the present invention, a method ofcommunicating a key between a transmitter and a receiver using quantumcryptography is characterised in that the method includes the initialsteps of:

(a) outputting a single-photon signal;

(b) modulating the single-photon signal at the receiver and returningthe modulated signal to the transmitter; and

(c) detecting at the transmitter the returned signal modulated by thereceiver in step (b).

Preferably in step (a) the single-photon signal is output from thetransmitter, but alternatively a separate source may be used to outputthe signal.

The method adopted in the present invention makes possible a dramaticreduction in the cost and complexity of the communication system. Evenin a system with a single transmitter and receiver there are significantsavings, but the savings are particularly marked in a multiple-accesssystem. Hitherto, using the conventional quantum cryptography methodoutlined above, it has been necessary for each receiver to include botha modulator for selecting the measurement basis and also a single-photondetector to register the outcome of the measurement. The presentinvention however makes it unnecessary for the receiver to include asingle-photon detector and the generation of the single-photon signaland the detection of the single-photon signal may both be carried out inthe transmitter. The receiver, rather than detecting the incoming signaldestructively as before, is required only to modulate the signal and toreturn it to the transmitter. This can be achieved using in-linemodulators, e.g. phase or polarisation modulators, in a ringarchitecture, or alternatively using star, tree or bus architecturesincorporating reflective modulators at each receiver.

A further advantage of the present invention is that it makes possiblethe use of a channel calibration function as described in theapplicant's co-pending international Application No. PCT/GB93/02637(WO94/15422corresponding U.S. Ser. Nos. 08/617,848; 08/612,881; and08/464,710 now U.S. Pat. No. 5,675,648) the subject matter of which isincorporated herein by reference, with that function confined to thetransmitter, rather than having to be carried out across the networkfrom the transmitter to each receiver.

The single-photon signals as initially output on the quantum channel maybe unmodulated, in which case the receiver may select (randomly or on abasis producing random-like statistics) one of a plurality of encryptionalphabets corresponding to different non-commuting quantum mechanicaloperators.

As discussed in our above cited co-pending applications, single-photonpulses may be obtained from a parametric amplifier source or,alternatively, weak pulses of light from an attenuated laser which ingeneral contain no more than one and on average substantially less thanone photon per pulse may be used. Both types of pulse exhibit therequired quantum mechanical properties and the term "single-photonpulse" is used herein to denote all such pulses irrespective of how theyare produced. The pulses are encoded in different phase or polarisationstates.

While the protocol adopted in this aspect of the invention can beimplemented with the transmitter outputting unmodulated single photons,a further increase in security can be obtained if the transmittermodulates the photons before they are output to the receiver. Thetransmitter may be, for example a network server or "controller"incorporating both a transmit section and a detector section. As before,the receiver then modulates the received photon non-destructively andreturns them to the transmitter. The modulation at the receiver takesthe form of an additional modulation, e.g. a phase shift, in addition tothat imposed initially at the controller. The controller's transmitsection may, for example, use two encoding bases with four possiblephase states in total

    ______________________________________                                        BASIS 1: 0° = 0, 180° = 1                                                         BASIS 2: 90° = 0, 270° = 1                    and its detector section may use two measurement bases                        BASIS 1: 0°                                                                              BASIS 2: 90°                                         ______________________________________                                    

In operation the controller's transmitter section randomly encodes eachphoton with one of the four phase states, and randomly choses one of thetwo bases for the measurement of the photon in its receiver sectionafter propagation around the network. During key distribution a givenuser Ri randomly modulates each photon with phase shifts e.g. phi=0° or90°, that is using two phase shifts corresponding to symbols fromdifferent encryption alphabets (where "encryption" here as above refersto the coding used in the key distribution procedure). After thetransmission the controller analyses the received data for deterministicevents, of the type listed below, which reveal Ri's modulator settingunambiguously:

(here D (disagree) implies sent bit not equal to received bit, and A(agree) implies sent bit equals received bit)

Controller used basis 1 for send and receive: D implies user phaseshift=90°

Controller used basis 1 for send and basis 2 for receive: D implies userphase shift =0°

Controller used basis 2 for send and receive: D implies user phaseshift=90°

Controller used basis 2 for send and basis 1 for receive: A implies userphase shift =0°.

The controller keeps this data which corresponds on average to 1 in 4 ofthe received bits and discards the rest, and completes the protocol bypublicly revealing to Ri the time slots in which these events occurred.The controller and Ri can now use the designation 0°=0, 90°=1, forexample, to generate a shared key. If an eavesdropper has broken intothe network at some point, or the system suffers from noise (which isalways the case in practice), the key will contain errors. Thecontroller and R_(i) check this error rate during the public discussionand either discard the transmission if the level of eavesdropping is toohigh or use error-correction and privacy amplification to generate ashorter highly secret key. Note that in the current scheme keydistribution is performed sequentially with each user on the network.However, if any other user R_(i) were to perform synchronous modulationsduring key distribution to R_(i), this would be detected via anincreased error rate just as in the case of an eavesdropper. This schemehas the added advantage that the receiver only needs to provide twopossible phase shifts, not four, thus simplifying the drive requirementsfor its modulator.

A second aspect of the present invention again uses a looped-back pathfrom the receiver to the transmitter. In this aspect, however, theoperation of the system resembles conventional quantum cryptography inthat the transmitter initially modulates an outgoing single-photonsignal using a randomly selected encryption alphabet and at least someof the signals modulated in this manner are detected destructively atone or more receivers.

According to the second aspect of the present invention, there isprovided a method of communicating a key between a transmitter and areceiver using quantum cryptography characterised by a step of returningto the transmitter at least some of the encoded single-photon signalsoutput by the transmitter, and subsequently comparing the states of thesignals as transmitted and received at the transmitter, therebydetecting the presence of any eavesdropper intercepting the signal.

Others of the single-photon signals may be detected destructively at thereceiver.

This aspect of the present invention may be used between a singletransmitter/receiver pair, but again is particularly advantageous whenused with a multiple-access network such as that disclosed and claimedin the present applicant's above-cited co-pending Internationalapplication, (PCT/GB94/01952 corresponding to U.S. Ser. No. 08/605,048).

Using conventional quantum cryptography, while it is possible reliablyto detect an eavesdropper who breaks into the quantum channel only, aneavesdropper can evade detection if he intercepts both the quantumchannel and the public (classical) channel and imitates the legitimatereceiver to the transmitter and the transmitter to the receiver. Howeverwhen this aspect of the present invention is used, part of the publicchannel for the comparison of transmitted and received data is in effectmade internal to the transmitter. This makes successful, undetected,intervention by an eavesdropper much more difficult. Additionally, as inthe case of the standard point-to-point schemes, the looped network canbe made completely secure against this attack on both channels by theuse of secure authentication procedures as described in theBennett/Brassard IBM Technical Disclosure Bulletin.

According to a third aspect of the present invention, there is provideda communications system for use in a method of quantum cryptographycomprising a transmitter, one or more receivers, a network linking thetransmitter to the or each receiver, and a source for generating asingle-photon signal, characterised in that the or each receiverincludes a modulator arranged to modulate a single-photon signalreceived from the source using a chosen modulation state, and isarranged to return the modulated single-photon signal to thetransmitter, and in that the transmitter includes a single-photondetector arranged to detect the returned single-photon signal.

According to a fourth aspect of the present invention, there is provideda communications system for use in a method of quantum cryptographycomprising a transmitter, one or more receivers, and a network linkingthe transmitter to the or each receiver, the transmitter including meansfor generating a single-photon signal and modulating the single-photonsignal using a chosen encryption alphabet, the or each receiverincluding a single-photon detector for detecting a single-photon signalfrom the receiver, characterised in that the network includes alooped-back path for returning at least some of the single-photonsignals output by the transmitter to the transmitter, and in that thetransmitter includes a single-photon detector arranged to detect thereturned single-photon signal, in use the transmitter comparing thestates of the single-photon signals as transmitted and returned.

BRIEF DESCRIPTION OF THE DRAWINGS

Systems embodying the different aspects of the present invention willnow be described in further detail, by way of example only, withreference to the accompanying drawings, in which:

FIG. 1 is a block diagram of a ring network embodying the first aspectof the present invention;

FIG. 2 is a block diagram of a single-photon detector for use with thenetwork of FIG. 1;

FIG. 3 is a block diagram of a ring network embodying the second aspectof the present invention;

FIGS. 4a and 4b are block diagrams illustrating the intervention of aneavesdropper in a point-to-point link and a ring network respectively;

FIGS. 5a and 5b are a transmitter output stage and a receiverrespectively;

FIG. 6 is a block diagram of a receiver for use with the networks ofFIGS. 3 and 5;

FIG. 7 is a block diagram showing a branch network in which the ithreceiver is looped-back to the transmitter; and

FIG. 8 is a flow diagram.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

As shown in FIG. 1, a communication system comprises a transmitter or"exchange/controller" T connected to three receivers R1-R3 via a passiveoptical network N having a ring topology. The transmitter T includesboth a quantum channel source 1 for use in establishing a key by quantumcryptography, as further described below, and also a conventionalintensity-modulated source for outputting a signal carrying conventionaltraffic. The quantum channel source 1 and standard source 4 operate atdifferent wavelengths λ_(q) and λ_(s) respectively. The output from thequantum source 1 passes through a switchable attenuator 9 and apolariser and band-pass filter 8 tuned to the quantum channel wavelengthλ_(q).

Each receiver comprises a first standard detector 5 for the signalchannel on λ_(s), a detector 10 for multi-photon timing signals at thequantum channel wavelength λ_(q), and a modulator 2, which in thepresent example is a polarisation modulator. The clock detector 10 isconnected to the network N by a fibre coupler 11 which provides a weaktap at λ_(q). The detector 5 for the signal wavelength is connected tothe network by a WDM (wavelength division multiplexer) coupler 7. TheWDM is a fibre coupler with a wavelength-dependent couplingcharacteristic. In the present case, the WDM ideally provides astraight-through route for the quantum channel, i.e. the couplingfraction out of the loop is small at λ_(q), whilst at the signalwavelength λ_(s) the coupling fraction has a much larger value f_(s).Appropriate values are discussed below.

In use, the transmitter distributes keys sequentially to each of thereceivers on the network using steps (a) to (g) of the modified protocoloutlined above. At the start of this process, the system is initialisedby outputting a multi-photon timing and calibration signal on thequantum channel wavelength λ_(q). The timing and calibration processesare described in further detail in the abovecited co-pendinginternational application. Each receiver monitors thesetiming/calibration pulses via a weak tap and a standard (i.e.multi-photon) detector 10 and thereby synchronizes its local clock withthe transmitter. A detector system 3 in the transmitter includes asingle photon detector which in the present example is an avalanchephotodiode APD. Other detectors sensitive to single photons may be used,e.g. a photomultiplier tube. The APD is at this stage weakly biased inorder to reduce its sensitivity and thereby avoid saturation effectsfrom the multi-photon pulses. The output of this detector is monitoredin order to linearise the polarisation state at the output of the ringusing the polarisation controller 21, FIG. 2.

The quantum key distribution channel is arranged to operateindependently of other transmission channels which use the network tocarry either the encrypted data or standard (non-encrypted) signals.This is important since the quantum channel operates in a non-continuousburst transmission mode, whereas in general the data channels will berequired to provide uninterrupted continuous transmission. The requiredseparation of the quantum channel may be provided through use of areserved wavelength, different from that used by the data channels. Inthis case the quantum channel could be isolated by means ofwavelength-sensitive passive optical components such as WDM couplers(e.g. Scifam Fibre Optics P2SWM13/15B) and filters (e.g. JDS TB1300A).The quantum channel may lie within the 1300 nm telecommunication windowalong with several other channels reserved for conventional signaltraffic. Alternatively the 850 nm window is reserved for the quantumchannel. This has the advantage that singles-photon detectors for thiswavelength (Silicon APDS) are relatively insensitive to 1300 nm lightand therefore isolation from the data channels is easier to achieve.This approach would require WDM couplers such as the JDS WD813 tocombine and separate the quantum and conventional channels.Alternatively the 1500 nm band might be used for conventional signaltraffic while the 1300 nm band is reserved for the quantum channel.Since, the sensitivity of germanium APDs is high at 1300 nm and fallsrapidly for wavelengths longer than about 1400 nm, these detectors wouldbe an attractive choice for this particular wavelength division scheme.The wavelength separation technique would also allow active componentssuch as optical amplifiers (e.g. erbium or praseodymium rare-earth-dopedfibre amplifiers) to be used at the data channel wavelengths, whilstoperating the quantum channel at a wavelength outside the spontaneousemission spectrum of the amplifier. If this were not the case, thespontaneously generated photons from the amplifier would easily saturatethe detectors on the quantum channel.

Alternatively, it is possible to operate the quantum and data channelsat the same wavelength, and achieve isolation by means of polarisation-or time-division multiplexing. The former case uses phase-encoding forthe quantum channel, as described, e.g., in our co-pending Internationalapplication PCT/GB 93/02637. The data channel operates on the orthogonalpolarisation mode of the fibre, with isolation obtained by means ofpolarisation splitting couplers such as the JDS PB 100. In thetime-division scheme, certain time slots are reserved for multi-photondata pulses which are detected by standard receivers linked to thenetwork via standard fibre couplers. Saturation of the single-photondetectors during these time slots could be prevented either by means ofswitchable attenuators (intensity modulators) or by turning off thereverse bias to the devices. Any of these isolation techniques may alsobe employed to send the system timing information concurrently with thequantum key data. This approach may be useful if, for example, thetiming jitter on the receiver local oscillators is too large to maintainsystem synchronisation over the timescale required for the quantumtransmission. A further alternative technique provides the timing dataconcurrently with the quantum transmission using the same wavelength asthe quantum channel. The receiver now contains, in addition, a standarddetector such as a sensitive PIN-FET that is connected to thetransmission fibre by a weak fibre tap that splits off e.g. -10% of theincoming pulse intensity. The intensity of every n-th pulse is madesufficiently large, say 10⁵ photons, that the standard detectorregisters a pulse which can be used for timing purposes. If n issufficiently large, e.g. 1000, the APDs will not suffer from heatingeffects or saturation, and a ×1000 frequency multiplier can be used inthe receiver to generate a local oscillator at the clock frequency.

Subsequently to the timing/calibration the attenuator 9 is switched onto attenuate the source so as to produce a single-photon output.Linearly polarised single photons are then transmitted onto the network.At a designated receiver, the single-photon signal is modulated using arandomly chosen polarisation base, e.g. the rectilinear (0°, 90°) ordiagonal (-45°, +45°) polarisation states. The receiver records thestate used in each time slot. The modulator used in the receiver maytake the form of a solid-state or a liquid crystal-based Pockel's cell.The modulator may be a chiral Smectic-C LC cell, or a stack of suchcells, as described in our above-cited co-pending internationalapplication (U.S. Ser. No. 08/605,048).

After passing through the modulator, the single-photon signal travels onand is again received back at the transmitter. There the transmittermakes a random choice of which measurement basis to use with thereturned photon, and registers a 1 or a 0 depending upon the detectedpolarisation state.

In the present embodiment, the single photon detector system referenced3 in FIG. 1 has the structure shown in FIG. 2. A polarisationsplitter/combiner outputs a photon from one or other of its portsdepending on the photon's polarisation state. Rather than using aseparate APD for each output port, a single APD is used connected to thesplitter/combiner by a network providing paths of different lengths forthe outputs of the different ports. The APD may be a silicon orgermanium APD such as the SPCM-100-PQ (GE Canada Electro Optics) or theNDL5102P (NEC). The APD has sufficient time resolution to distinguishthe delay when a photon arrives via the longer path, and hence eachphoton is registered as a 0 or a 1 depending upon when it arrives duringthe clock period. The recombination of the two paths can be performedwith very little loss using a second polarisation splitter coupler whichnow acts as a 2-into-1 polarisation combiner. An appropriatepolarisation splitter coupler is the JDS PB100. When used as a combinerit gives a loss of around 0.6 dB. Alternatively a standard 50/50polarisation independent coupler such as the Sifam P2S13AA50 could beused for recombination of the two paths, but this leads to a 3 dB losspenalty.

Polarisation couplers such as the JDS PB100 are 1-into-2 fibre couplerswhich separate the two orthogonal polarisation modes of the input fibreinto two output fibres with the horizontal mode in one fibre andvertical in the other. This is functionally equivalent to a bulk-opticspolariser such as a Wollaston prism. If the direction of input to apolarisation splitter is reversed, then a horizontally polarised statein one fibre can be coupled to a vertical state in the other fibre toform a low loss 2-into-1 coupler.

After the transmission of a number of such single-photon signals a"public" discussion phase is carried out, with the transmitter andreceiver comparing the states of the signals modulated by the receiverand subsequently detected at the transmitter. This corresponds to steps(d) to (f) of the protocol outlined in the introduction above: It maytake place on a separate optionally non-optical network, or as in thisembodiment, on the same network as the other steps. It involves thereceiver and the transmitter comparing publicly which bases they used ineach clock period (but not the type of bit sent or received). They canthen decide upon a list of clock periods in which (1) they both used thesame basis and (2) a photon actually arrived back at the transmitter. Inthe case of an ideal error free channel, and if no eavesdropper ispresent, they expect their data for these clock periods to be in perfectagreement. Consequently, they can then publicly compare the actualresults i.e. 0/1 sent, 0/1 received for a small subset of this data. Anyerrors detected by a statistical test of this data subset would revealthe presence of an eavesdropper on the network. In the absence of anysuch errors, the transmitter and receiver can confidently use theremainder of the data as a shared secret key for subsequent encodedtransmissions between themselves. Practical quantum channels, however,will suffer from unavoidable background error rates due to detector darkcounts, and environmentally-induced fluctuations in the polarisation (orphase) state in the fibre etc. In this case the public discussion phasecontains an additional stage of error correction and so-called "privacyamplification", as further discussed in our above-cited co-pendinginternational application filed today (ref: 80/4541/03). This bothensures that the transmitter and receiver end up with identical keys andthat any key information leaked to an eavesdropper is an arbitrarilysmall fraction of one bit. This procedure is outlined in C. H. Bennett,F. Bessette, G. Brassard, L. Salvail and J. Smolin: "ExperimentalQuantum Cryptography", J. Cryptology, 5, 3 (1992).

FIG. 8 is a flow diagram illustrating the procedure discussed above andindicating the flow of information between the transmitter (or"controller") and receiver via the public channel.

In the example shown in FIG. 1, standard signal traffic is carried onthe network using a second wavelength λ_(s). This data isintensity-modulated and is accessed at each receiver via a WDM couplerthat ideally has coupling ratios of 0 and x at wavelengths λ_(q) andλ_(s) respectively, where x is determined to meet the criterion that allreceivers on the network require a measurable signal. The datatransmitted on the signal channel may be encrypted using the keysdistributed over the quantum channel. At the end of steps (e) and (f) ofthe quantum cryptography protocol, the transmitter has established adistinct sequence of r secret bits with each ith terminal R_(i) on thenetwork. These secret bits can be used both for authentication and thegeneration of a respective shared key K_(i), as described for thestandard point-to-point application in C. H. Bennett, F. Bessette, G.Brassard, L. Salvail and J. Smolin: J. Crypt., 5, 3 (1992) andBennett/Brassard IBM Tech. Discl. (already referenced above). Ifrequired, the controller/transmitter can then use the individual K_(i)as keys in one-time pad encryptions of a master network key or keys. Thelatter can then be securely distributed to all receivers/terminals, orsubsets of terminals, on the network. Consequently, two types ofencrypted communication are enabled. In one-to-one communications thecontroller and R_(i) use K_(i) to encrypt the multi-photon data signalsthat are broadcast in either direction on the network. Hence, althoughthese signals are broadcast on the network and are therefore accessibleto all receivers, only R_(i) and the controller can decode theseparticular data transmissions. In this scenario secure inter-terminalcommunications can still take place between e.g. R_(i) , and R_(j),however the controller must act as an interpreter using its knowledge ofK_(i) and K_(j) to decode and encode the incoming and outgoing signals.Any-to-any communications can also take place among subsets of terminalssharing a master key, and in this case, if a transmission path goes viathe controller, the controller only needs to perform routing orre-transmission of the incoming encoded data. A fresh key may betransmitted periodically, to maintain security.

The use of a multiple-access network and the establishing of differentkeys at different receivers on the network is described in furtherdetail in the abovecited International application filed this day.

In the embodiments discussed above with reference to FIG. 1 and belowwith reference to FIG. 3, the single photons are transmitted in theopposite direction to the multi-photon signal pulses. This is notessential, however, bi-directional transmission helps to isolate the twochannels by exploiting the directionality of the fibre couplers tominimise the number of signal photons incident on the quantum channelsingle-photon detector. The necessity for such isolation will depend onthe relative sensitivity of the single-photon detector at the quantumand signal channel wavelengths (λ_(q) and λ_(s)), and on whether the twochannels are required to operate at the same times. However, since thepower in the signal channel is likely to be >10⁶ times that in thequantum channel, it is necessary to consider the possibility that thesignals could readily saturate the single-photon detector and hencegenerate errors in the quantum transmission. Therefore, isolation of thetwo channels is likely to be increased by the use of a WDM couplerand/or an in-line filter in front of the single photon detector, whichpasses λ_(q) but strongly attenuates λ_(s). (Note that component 8 inFIG. 1 already contains such a filter to isolate the quantum channelsource from the signal channel). The degree of attenuation required atλ_(s) will be increased if the signal and quantum channels aretransmitted uni-directionally, but will still be achievable using theabove cited methods. Appropriate fibre filters can be based uponfibre-gratings made using photo-refractive techniques.

FIG. 3 shows a first embodiment of the second aspect of the presentinvention. This example again uses a ring topology with atransmitter/exchange 1 connected via the ring to a plurality ofreceivers Ri-Rn.

The transmitter now contains a polarisation modulator 2 which is used toencode each photon with one of the possible quantum states as in thestandard protocol. Unlike in the scheme shown in FIG. 1, the couplers 11are chosen so that a substantial fraction of the photons in the quantumchannel are tapped off at each receiver 12 and destructively measured asdescribed in the standard protocol. For the example of the threereceiver network, the sequence of couplers 11 may have couplingfractions of 25%, 33% and 50% respectively. In this case, if the loss inthe transmission fibre is negligible, the three receivers and thetransmitter (via the return leg) will all receive equal fractions ofphotons. Each single photon receiver 12 has the configuration shown inFIG. 6.

A single photon detector comprising a polarisation modulator and ahighly biased avalanche photodiode APD (FIG. 2) is connected to eachcoupler output and to the return leg of the transmission fibre in thetransmitter/ exchange.

As seen in FIG. 2, the single photon detector comprises a polarisationcontroller 21 followed by a polarisation modulator 22. The output of themodulator 22 is passed to a polarisation splitter/combiner whichprovides outputs via two paths, one of the paths incorporating a delayloop 24. The two paths are combined at a second splitter/combiner 23 andthe resulting signal output to the APD 25.

The output of the APD is fed to a control processor 62 via a circuitcomprising a discriminator/ amplifier 63 and electronic filter 64 and alocal oscillator 65. The control processor 62 provides control outputsto the drive electronics 61 for the polarisation modulator and to thebias supply 66 for the single-photon detector APD.

The transmitter has an output stage which includes a single-photonsource and a polarisation modulator controlled by a microprocessor. Inaddition, the transmitter incorporates a single-photon detector, whichas in the receivers, may be formed from a highly biased silicon orgermanium APD together with an appropriate polarisation filter. In use,this detector is used to receive those photons which have not beendestructively detected at any of the receivers and which have returnedto the transmitter.

An alternative version of this embodiment encodes and decodes differentphase states rather than different polarisation states P. D. Townsend,J. G. Rarity and P. R. Tapster, Elect. Lett., 29, 1291 (1993) and P. D.Townsend, Elect. Lett. 30, 809 (1994)!. In this embodiment, thetransmitter of FIG. 5a is substituted for the output stage of thetransmitter exchange shown in FIG. 3, and similarly each of thereceivers is replaced by a receiver configured as shown in FIG. 5b. Inthe transmitter output stage of this embodiment, a first pulsedsemiconductor laser 51, operating at a first wavelength λ_(q), where,e.g., λ_(q) =1300 nm provides the optical source for the quantumchannel. The laser and a modulator driver 53 for a phase modulator 54are controlled by a microprocessor 55. The phase modulator 54 is locatedin one branch of the transmitter. A polarisation controller PC (e.g.BT&D/HP MCP1000) is located in the other branch of the transmitter. Asecond semiconductor laser 52 provides a bright multi-photon source at awavelength λ_(s) where, e.g., λ_(s) =1560 nm. This signal is used fortiming and calibration as described above. The signal at λ_(s) iscoupled to the output of the transmitter via a WDM coupler 56 which maybe, e.g. a JDS WD1315 series device.

As an alternative to the use of separate sources for the quantum channeland the timing signal, a single semiconductor laser may be used feedingits output via a fused fibre coupler FC to two different branches, oneincluding an attenuator, and the other branch being unattenuated. Anoptical switch may then be used to select either the bright orattenuated output. Depending upon the frequency requirement, either aslow electro-mechanical device such as the JDS Fitel SW12 or a fastelectro-optic device such as the United Technologies Photonics YBBMcould be used.

In the receiver of this embodiment, a respective control microprocessor57 controls the receiver phase modulator 58 via a modulator driver 59.The receiver control processor also controls a detector bias supply 600for the receiver single-photon detector 601. In both the transmitter andthe receiver, where the signal path branches, fused-fibre 50/50 couplersare used. Suitable couplers are available commercially from SIFAM asmodel P22S13AA50. The timing signal at λ_(s) is detected by a PIN-FETreceiver 604.

Appropriate phase modulators 54, 58 for the data encoding and decodingare lithium niobate or semiconductor phase modulators operating at,e.g., 1-10 MHZ. An appropriate lithium niobate device is availablecommercially as IOC PM1300. An appropriate driver for the phasemodulators is a Tektronix AWG2020, and this can also be used as a clockgenerator for the system. For the single-photon detectors, APDs asdiscussed above with reference to FIG. 3 may be used. Significantimprovements could be obtained by combining the phase modulators andfibre devices shown in FIGS. 5a and 5b into single integratedstructures. Variations on the current design or that discussed in P. D.Townsend, J. G. rarity and P. R. Tapster, Elect. Lett. 29, 634 (1993)could be integrated onto a lithium niobate chip with the fibre pathsreplaced by waveguides and the modulator region defined by electrodes asin a standard device. Alternative fabrication methods include e.g.photo-refractively-defined planar silica waveguide structures orsemiconductor waveguide structures. In general, integration should leadto improved stability and compactness for the transmitter and receiverstructures. In particular, this embodiment uses an NEC 5103 Ge APDcooled to 77 K using, e.g., Hughes 7060H cryo-cooler or a liquidnitrogen dewar or cryostat. In the receiver in this embodiment, just asingle APD is used with the signals corresponding to the differentbranches of the receiver being separated in time by virtue of a delayloop in the upper branch labelled "1". The key distribution protocolrequires each received photon to be associated with a given clock periodand also identified as a 0 or 1 depending upon which branch of thereceiver it comes from. These functions are performed by a time intervalanalyser 602 (e.g. Hewlett-Packard 53110A). The start signals for thisdevice are provided by the APD output after processing by a circuit 603comprising an amplifier and discriminator which may be respectively,e.g. Lecroy 612 and Lecroy 821.

The timing signal referred to above may take the form of either a singletrigger pulse, which is then used to initiate a burst of key data on thequantum channel, or as a continuous stream of pulses at the system clockfrequency which are used to re-time the receiver clock between keytransmissions. Before key transmission commences, the receiver variesthe phase modulator DC bias level in order to zero the phase shift inthe interferometer (i.e. photon transmission probability is maximised atone output port and minimised at the other). FIGS. 5a and 5b also showthe relative spatial, temporal and polarisation changes experienced bythe two components of a quantum channel pulse as they propagate throughthe transmitter and receiver. If all fibres in the system arepolarisationpreserving then no active polarisation control or staticpolarisation controllers are required in the system. However if standardfibre is used for the transmission link then active polarisation controlwill be required at the input to the receiver. This can be performedusing a standard detector, feedback circuit and automated polarisationcontrol as described in our co-pending International applicationPCT/GB93/02637 (WO94/15422).

Phase encoding as used in the version of this embodiment discussed abovemay also be substituted for polarisation encoding in any other of theembodiments described herein.

In use, the network of these embodiments is operated using theconventional quantum cryptography protocol, in that differentpolarisation (or phase) bases are randomly selected at the transmitterand used to encrypt outgoing signals. After a sufficient number ofphotons have been transmitted for each receiver to establish its ownkey, a "public discussion" phase is entered in which the transmitter andreceivers communicate using multi-photon signals to compare thestatistics of the transmitted and received signals. At this point, theconventional protocol is modified in that the comparisons carried out inthe control processor of the transmitter/exchange include comparisons onthe data signals received back at the transmitter/exchange single-photondetector. This part of the discussion phase is therefore internal to thetransmitter and so inherently less vulnerable to interceptions.

As seen in FIG. 4a, a conventional transmitter/receiver pair can besubject to a successful eavesdropping attack without that attack beingdetected, provided the eavesdropper can intercept both the public andquantum channels. This is taken account of in the standard protocols bythe use of secure authentication procedures, see for example theabove-cited IBM Technical Disclosure Bulletin. In the diagram thequantum channel is shown by the full line and the dashed line denotesthe public (classical) channel. However, the eavesdropper of FIG. 4awould still be detected successfully where the method of this aspect ofthe invention is used, since his presence would still be revealed bythat part of the public discussion phase which is carried out internallywithin the transmitter. Undetected eavesdropping of the system inaccordance with this aspect of the invention would require theconsiderably more complex structure shown in FIG. 4b.

A further possible attack upon such an implementation requires Eve (theeavesdropper) to intercept the quantum channel on both sides of a givenuser Bob. Then by transmitting and detecting a multi-photon signal Evecan determine unambiguously the state of Bob's modulator. Again inpractice it is likely to be very difficult for Eve to establishconnections to two or more points in the network. Nonetheless, where itdesired to protect against an attack of the type described this may bedone by providing at least one of the receivers on the network with aphoton detector connected to the network by a relatively weak tap. Thisphoton detector need not be of the sensitivity of the single photondetectors employed conventionally in receivers, nor need every user havesuch a detector. The presence of such a detector in the networkfacilitates the detection of any multi-photon probe used by Eve.

FIG. 7 shows a second embodiment of this aspect of the invention. Inthis embodiment a tree structure is used rather than a ring network. Oneor more selected receivers Ri are connected with an additional branch Biwhich is looped back to the transmitter. The network then functions inthe manner described above for each receiver R_(i) which is providedwith loop back to the transmitter. Other receivers on the network, suchas R1, use the protocol without the additional internal checks by thetransmitter. Such a network therefore is able to mix different levels ofservice providing different levels of security for different respectiveusers.

The system of the first embodiment may be modified to include some ofthe additional features of the second embodiment, thereby providingenhanced security. In particular, the transmitter/exchange structure ofFIG. 3 may be substituted for the transmitter/exchange of FIG. 1. Thetransmitter then, as in conventional quantum cryptography systems,randomly chooses between two encryption bases and uses the selectedbases to modulate an outgoing single-photon signal. Subsequently, as inthe first embodiment, the receiver modulates the received single-photonsignal non-destructively and returns the photon to the transmitter. Asdescribed in the introduction above, the receiver in this embodimentdoes not then need to choose between two different encryption bases butcan operate using a single predetermined encryption basis. Thistherefore simplifies the modulator structure required for the receiver.

What is claimed is:
 1. A method of communicating a key between atransmitter location and a receiver location using quantum cryptographyincluding the initial steps of:(a) outputting from the transmittinglocation a single-photon signal; (b) modulating the single-photon signalat the receiver location and returning the now modulated saidsingle-photon signal to the transmitter location; and (c) detecting atthe transmitter location the returned said single-photon signalmodulated by the receiver in step (b).
 2. A method as in claim 1 inwhich the transmitter outputs the single-photon signal in step (a).
 3. Amethod as in claim 2 in which the transmitter modulates the outgoingsingle-photon signal using a selected modulation basis, and uses thesame basis in detecting the returned signal in step (c).
 4. A method asin claim 1 in which in step (b) the receiver selects one of a pluralityof encryption alphabets corresponding to different non-commuting quantummechanical operators and modulates the single-photon signal using theselected alphabet.
 5. A method as in claim 1 in which in step (a) theoutput single-photon signal is modulated.
 6. A method as in claim 5 inwhich in step (b) the receiver modulates the single-photon signal usinga selected one of a pair of operators corresponding to symbols fromdifferent encryption alphabets.
 7. A method as in claim 1 in which instep (a) the signal is output from the transmitter onto amultiple-access network and for each output signal step (b) is carriedout by a respective one of a plurality of receivers connected to themultiple-access network.
 8. A method as in claim 1 furtherincluding:outputting a multi-photon signal onto a network from thetransmitter, returning the multi-photon signal to a receiver at thetransmitter, comparing the transmitted and received multi-photon signaland calibrating the transmitter in accordance with the results of acomparison therebetween.
 9. A method as in claim in which the step ofcalibrating the transmitter includes setting a variable modulator inaccordance with the results of the comparison to compensate for anyvariation in a signal parameter across the network.
 10. A method ofcommunicating a key between a transmitter location and a receiverlocation using quantum cryptography including the steps of:returningfrom the receiver location to the transmitter location at least somesingle-photon signals encoded and output from the transmitter location,and subsequently comparing states of the signals as transmitted andreceived at the transmitter location, thereby detecting the presence ofany eavesdropper intercepting the signal.
 11. A method as in claim 10 inwhich single-photon signals from the transmitter are output onto amulti-access network connecting the transmitter to a plurality ofreceivers.
 12. A method as in claim 11 in which a looped-back path forreturning single-photon signals to the transmitter is provided for someonly of the plurality of receivers connected to the network.
 13. Amethod as in claim 10 in which others of the single-photon signals aredetected destructively at the receiver.
 14. A communications system foruse in a method of quantum cryptography comprising:a transmitter, one ormore receivers, a network linking the transmitter to each receiver, asource for generating a single-photon signal, each receiver including amodulator arranged (a) to modulate a single-photon signal received fromthe source using a chosen modulation state and (b) to return themodulated single-photon signal to the transmitter, and the transmitterincluding a single-photon detector arranged to detect the returnedsingle-photon signal.
 15. A system as in claim 14 in which the sourcefor generating the single photon signal is located at the transmitter.16. A system as in claim 15 in which the transmitter includes amodulator for modulating outgoing single-photon signals.
 17. Acommunications system for use in a method of quantum cryptographycomprising:a transmitter, one or more receivers, a network linking thetransmitter to the or each receiver, the transmitter including means forgenerating a single-photon signal and modulating the single-photonsignal using a chosen encryption alphabet, each receiver including asingle-photon detector for detecting a single-photon signal from thereceiver, the network including a looped-back path for returning atleast some of the single-photon signals output by the transmitter to thetransmitter, and the transmitter including a single-photon detectorarranged to detect the returned single-photon signal, in use thetransmitter comparing the states of the single-photon signals astransmitted and returned.
 18. A system as in claim 14 in which thenetwork is a multiple access network connecting a plurality of receiversto the transmitter.
 19. A method of communication using quantumcryptography including:selecting at a transmitter one of a plurality ofencryption alphabets corresponding to different, non-commuting quantummechanical operators, and encoding a signal for transmission to thereceiver using the selected operator, a receiver further modulating thesingle-photon signal received from the transmitter and returning it tothe transmitter, the transmitter using the quantum mechanical operatorselected for the outgoing signal in detecting the returned signalmodulated by the receiver, and subsequently comparing the states of thesignals as transmitted and received at the transmitter, therebydetecting the presence of any eavesdropper intercepting thesingle-photon signal.